Loading cloud evidence
You can load the following cloud-based evidence sources: AXIOM Cloud images, Apple warrant returns, Facebook Download Your Information archives, Facebook warrant returns, Instagram Download Your Data archives, Instagram warrant returns, Google Takeout archives, Google warrant returns, Microsoft Office 365 Unified Audit Logs, Skype exports, Skype warrant returns, Slack archives, and Snapchat warrant returns, and Twitter warrant returns.
When you acquire a cloud evidence source, AXIOM Process creates a .zip file containing the hashed cloud image. You can load this cloud image into AXIOM Processif you want to process the evidence as a part of another case.
Note: AXIOM Process allows you to load and process warrant return files provided by Apple, Facebook, Google, Instagram, Skype, and Snapchat. Sometimes, the platform providing the warrant return file make changes to its format which might impact the ability for AXIOM Process to process the warrant return package.
For a current list of any known changes to our ability to process warrant returns and the approximate dates of warrant returns AXIOM Process is known to support, please log in to the Customer Portal to read the following article: Status of supported cloud acquisition platforms. If you are unable to process a warrant return outside of these dates, please contact Magnet Technical Support.
Load a cloud image
Before you load a cloud image, make sure you have the appropriate user permissions to access the file.
If you're loading an Apple warrant return, make sure you decrypt the package using the instructions provided by Apple. For more information, log in to the Customer Portal to review the Prepare Apple warrant returns for acquisition article. After you've decrypted the package, AXIOM Process can decrypt encrypted backups contained within the decrypted warrant return.
If you're loading a .zip file from the Facebook Download your Information option, make sure the content is in JSON format. By default, Facebook downloads the information in HTML. For steps on how to download the .zip file, see How do I download a copy fo my information on Facebook?
- In AXIOM Process, click Evidence sources > Cloud > Load evidence.
- Select the type of image you want to load.
- Browse to the image and click Open.
- To continue setting up your case, click Next.
Note: If you load an AXIOM Cloud .zip file that was created in a newer version of AXIOM Process than the version you are currently using, it's possible that you might recover less evidence.
Supported evidence sources
You can load the following cloud evidence sources in AXIOM Process:
| Platform | AXIOM Cloud | Magnet AXIOM Cyber | image type | Description |
|---|---|---|---|---|
| Apple | ✓ | ✓ | Warrant return | Use this option to load .zip files provided by Apple for warrant returns. |
| ✓ | ✓ | Warrant return |
Use this option to load .zip files provided by Facebook for warrant returns. |
|
| ✓ | ✓ | Download Your Information | Use this option to load .zip files generated from the Download Your Information (JSON) option in Facebook. | |
| ✓ | ✓ | Google Takeout | Use this option to load .mbox files, and .zip files that are generated when a Google Takeout archive is created. | |
| ✓ | ✓ | Warrant return | Use this option to load .zip files provided by Google for warrant returns. | |
| ✓ | ✓ | Warrant return | Use this option to load .zip files provided by Instagram for warrant returns. | |
| ✓ | ✓ | Download Your Data | Use this option to load .zip files generated from the Data Download (JSON) option in Instagram. | |
| Magnet Forensics | ✓ | ✓ | AXIOM Cloud image | Use this option to load an AXIOM Cloud image that has already been acquired. |
| Microsoft Office 365 Unified Audit Logs | ✓ | Audit logs | Use this option to load Microsoft Unified Audit log .csv files generated using the Microsoft Security and Compliance Center. | |
| Skype | ✓ | ✓ | Warrant return | Use this option to load .zip files provided by Skype / Microsoft for warrant returns. |
| ✓ | ✓ | Skype export | Use this option to load .tar files generated from the Export files and chat history option in Skype. | |
| Slack | ✓ | Slack archives | Use this option to load .zip files of Slack archives (JSON) files generated from the standard and corporate workspace data exports in Slack. | |
| Snapchat | ✓ | ✓ | Warrant return | Use this option to load .zip files provided by Snapchat for warrant returns. |